GPG key management

Why use GPG?

There is no doubt that nowadays, to protect your privacy, you cannot rely on anyone else: neither companies nor governments. You have to act yourself. (Re-read the Snowden, Manning and other whistleblower stories and draw your own conclusions.)

Fortunately, there are great tools for that.
New tools? No! They have been around for years and years!

Among them is GnuPG (GPG), the GNU implementation of the OpenPGP standard. OpenPGP is itself the open standard derived from PGP, the program Phil Zimmermann first wrote in 1991.

Now, let’s create and publish a key that will let you sign and encrypt your communications (e.g. via your mail user agent, such as Gnus) or your files.

Create a GnuPG key

Generate your key

To generate a new GPG key, run gpg --gen-key: it asks a few questions (key type and size, expiration, your name and e-mail address, a passphrase) and does the rest. Do set an expiration date: it can be extended later, and it limits the damage if you ever lose both the key and its revocation certificate.

Add other identities to your key

Sometimes you want to sign your communications or encrypt your files under a specific identity.
Let’s say that you have your own company and, besides your personal identity (My Name me@mail.com), you want to use your professional identity (My Name me@company-mail.com).

Two solutions:

You create another standalone key by starting a new gpg --gen-key session

You add a new identity to your existing key

To go the second way, edit your existing key with gpg --edit-key, add the identity with the adduid command and leave with save. Then re-send the key to the keyservers, as described below, so that the new identity becomes public.

Send your key to main keyservers

Once your key is created and set up, publish its public part on keyservers.
This is what lets your correspondents retrieve the key to verify your signatures and to encrypt documents (mails or files) for you. Keep in mind that a keyserver does not vouch for a key: anyone can upload a key bearing your name and address, so give your fingerprint to your correspondents over a channel you trust and have them check it.

You can publish it on several servers. To do so, just run

gpg --send-key 3732BE06

This uses the default keyserver set in your ~/.gnupg/gpg.conf (the keyserver option; change it if you want).
But maybe you want to publish it occasionally on a specific server. For this, just add the --keyserver option (prefer an hkps:// address, so that the exchange goes over TLS):

gpg --keyserver hkp://pgp.mit.edu --send-key 3732BE06

Now you are ready to sign/encrypt whatever you want and send it to whomever you want (well… not everybody, of course).

Export and import keys

Let’s say that you have two computers on which you want to be able to sign/encrypt data with the same keyring.

For this, export the keys from the first one (gpg --export for the public part, gpg --export-secret-keys for the secret part, with --armor if you want a text file) and import them on the second one with gpg --import. The exported secret key is as sensitive as the key itself: carry it on an encrypted medium and delete the export once it is imported.

If you do not want to use your key but a standalone passphrase instead (symmetric encryption), use:

gpg --output secretfile.txt.gpg --symmetric secretfile.txt

And to decrypt your file, use:

gpg --output secretfile.txt --decrypt secretfile.txt.gpg

Easy, isn’t it ?

Revoke

Let’s say that one day you change your e-mail address and create a new key.
The previous one is not used anymore and it bothers you that an unused key is still alive (rightly so).

Keyservers never delete a key, but you can mark it as revoked there and remove it from your own keyring. Here are the steps to follow.

First, generate a revocation certificate:

$ gpg --gen-revoke 3732BE06 > revoke.txt
sec 2048R/3732BE06 2014-09-30 My Name <me@mail.com>
Create a revocation certificate for this key? (y/N) y
Please select the reason for the revocation:
0 = No reason specified
1 = Key has been compromised
2 = Key is superseded
3 = Key is no longer used
Q = Cancel
(Pick 1 only if the key really was compromised; for a merely abandoned key, 3 is the honest choice)
Your decision? 3
Enter an optional description; end it with an empty line:
>
Reason for revocation: Key is no longer used
(No description given)
Is this okay? (y/N) y
You need a passphrase to unlock the secret key for
user: "My Name <me@mail.com>"
2048-bit RSA key, ID 3732BE06, created 2014-09-30
ASCII armored output forced.
Revocation certificate created.
Please move it to a medium which you can hide away; if Mallory gets
access to this certificate he can use it to make your key unusable.
It is smart to print this certificate and store it away, just in case
your media become unreadable. But have some caution: The print system of
your machine might store the data and make it available to others!

The certificate does nothing by itself: import it into your keyring (gpg --import revoke.txt), which marks the key as revoked locally, and only then publish that change by sending the key again to every keyserver you published it to:

gpg --send-key 3732BE06

(Don’t forget the other servers you reached with --keyserver earlier; a revocation they never receive does not exist for them.)

The last step, if you wish, is to delete the key from your local keyring. Keep in mind that once the secret key is gone you can no longer decrypt anything that was encrypted to it, so keep a backup if you still have such mails or files:

$ gpg --delete-secret-key 3732BE06
gpg (GnuPG) 1.4.12; Copyright (C) 2012 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
sec 2048R/3732BE06 2014-09-30 My Name <me@mail.com>
Delete this key from the keyring? (y/N) y
This is a secret key! - really delete? (y/N) y

$ gpg --delete-key 3732BE06
gpg (GnuPG) 1.4.12; Copyright (C) 2012 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
pub 2048R/3732BE06 2014-09-30 My Name <me@mail.com>
Delete this key from the keyring? (y/N) y
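As an added example, not a listing from the page, here is the whole lifecycle described above (generate a key, add the professional identity, export the keyring to a second machine and import it there, revoke, check the result, delete) as one unattended POSIX shell script. It assumes GnuPG 2.1 or later (for --quick-add-uid, loopback pinentry and the revocation certificate stored in openpgp-revocs.d); the names, addresses, passphrase and temporary directories are made up, and the keyserver upload is deliberately left out so that it runs offline.

```sh
#!/bin/sh
# Added example, not a listing from the page: the page's key lifecycle run
# unattended. Assumes GnuPG >= 2.1 on PATH (--quick-add-uid, openpgp-revocs.d,
# loopback pinentry). Names, addresses, passphrase and directories are made up;
# every step runs in throw-away GNUPGHOME directories, never in ~/.gnupg.
set -eu

# Demo-only passphrase, fed to gpg through loopback pinentry so nothing prompts.
# For a real key let gpg prompt you: a passphrase on the command line shows up in ps.
DEMO_PASS='correct horse battery staple'

# Run gpg non-interactively against a given keyring directory.
gpg_in() {                      # gpg_in <keyring dir> <gpg args...>
  _home=$1; shift
  GNUPGHOME="$_home" gpg --batch --no-tty --pinentry-mode loopback --passphrase "$DEMO_PASS" "$@"
}

# Parameter file for unattended 'gpg --batch --gen-key' (what --gen-key asks interactively).
key_params() {                  # key_params <real name> <email>
  cat <<EOF
Key-Type: RSA
Key-Length: 3072
Subkey-Type: RSA
Subkey-Length: 3072
Name-Real: $1
Name-Email: $2
Expire-Date: 1y
Passphrase: $DEMO_PASS
%commit
EOF
}

# Generate a key and print the fingerprint (40 hex digits) of its primary key.
gen_key() {                     # gen_key <keyring dir> <real name> <email>
  key_params "$2" "$3" | gpg_in "$1" --gen-key
  gpg_in "$1" --with-colons --list-keys "<$3>" | awk -F: '/^fpr:/ { print $10; exit }'
}

# Second identity on the same key (the page's "professional" address).
add_uid() {                     # add_uid <keyring dir> <fingerprint> <"Name <email>">
  gpg_in "$1" --quick-add-uid "$2" "$3"
}

uid_count() {                   # uid_count <keyring dir> <fingerprint>
  gpg_in "$1" --with-colons --list-keys "$2" | grep -c '^uid:'
}

# Validity flag of the primary key: u = ultimately trusted, - = unknown, r = revoked.
key_status() {                  # key_status <keyring dir> <fingerprint>
  gpg_in "$1" --with-colons --list-keys "$2" | awk -F: '/^pub:/ { print $2; exit }'
}

# Export both halves; the secret half is what the second machine needs.
export_key() {                  # export_key <keyring dir> <fingerprint> <output dir>
  gpg_in "$1" --armor --export "$2" > "$3/pub.asc"
  gpg_in "$1" --armor --export-secret-keys "$2" > "$3/sec.asc"
}

import_key() {                  # import_key <keyring dir> <file.asc>
  gpg_in "$1" --import "$2"
}

# Revoke by importing a revocation certificate. GnuPG 2.1+ stores one at key
# creation under openpgp-revocs.d (gpg --gen-revoke, as on the page, writes the same
# kind of file); its BEGIN line carries a leading ':' against accidental import, hence the sed.
revoke_key() {                  # revoke_key <keyring dir> <fingerprint>
  sed 's/^://' "$1/openpgp-revocs.d/$2.rev" | gpg_in "$1" --import
}

demo() {
  a=$(mktemp -d); b=$(mktemp -d)                       # "machine A", "machine B"
  fpr=$(gen_key "$a" 'My Name' 'me@mail.com')
  add_uid "$a" "$fpr" 'My Name <me@company-mail.com>'
  echo "key $fpr now carries $(uid_count "$a" "$fpr") identities"
  # Same keyring on a second machine: import the secret key there and decrypt
  # something that was encrypted on the first one.
  export_key "$a" "$fpr" "$b"
  import_key "$b" "$b/sec.asc"
  printf 'hello from machine A\n' | gpg_in "$a" --armor --recipient "$fpr" --encrypt > "$b/msg.asc"
  gpg_in "$b" --decrypt "$b/msg.asc"
  # Revocation: import the certificate first, check the flag, and only then
  # publish (gpg --send-key "$fpr", skipped here to stay offline). Sending
  # before importing would just upload the still-valid key again.
  revoke_key "$a" "$fpr"
  echo "status after revocation: $(key_status "$a" "$fpr")"   # r
  # Whoever fetches the updated public key sees it as revoked too.
  gpg_in "$a" --armor --export "$fpr" > "$b/revoked.asc"
  import_key "$b" "$b/revoked.asc"
  echo "status on machine B: $(key_status "$b" "$fpr")"       # r
  # Last step from the page: drop it from the local keyring; then clean up.
  gpg_in "$a" --yes --delete-secret-and-public-key "$fpr"
  for h in "$a" "$b"; do GNUPGHOME="$h" gpgconf --kill gpg-agent || true; done
  rm -rf "$a" "$b"
}

if command -v gpg >/dev/null 2>&1; then demo; else echo 'gpg not found, nothing to do' >&2; fi
```

Run it with sh and watch the validity flag of the primary key flip to r; that same flag is what a correspondent's gpg shows once they refresh your key from the keyserver, which is why the import of the certificate has to happen before the upload.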